Nginx, coturn & port 443

After a clean install, videobridge is reporting this error, adding to the one reported by jicofo:

2020-04-01 09:28:01.596 WARNING: [22] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$7#643: [MucClient id=shard hostname=localhost] error connecting
org.jivesoftware.smack.SmackException$ConnectionException: The following addresses failed: 'localhost:5222' failed because: localhost/127.0.0.1 exception: java.net.ConnectException: Connection refused (Connection refused)
        at org.jivesoftware.smack.SmackException$ConnectionException.from(SmackException.java:278)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectUsingConfiguration(XMPPTCPConnection.java:619)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:902)
        at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:383)
        at org.jitsi.xmpp.mucclient.MucClient.lambda$getConnectAndLoginCallable$7(MucClient.java:638)
        at org.jitsi.retry.RetryStrategy$TaskRunner.run(RetryStrategy.java:193)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
2020-04-01 09:28:06.613 WARNING: [22] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$7#643: [MucClient id=shard hostname=localhost] error connecting
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text>This server does not serve auth.meet.uptivo.fit</text></stream:error>
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1059)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:748)

Here are the steps which led to success:

  1. Deinstall any jitsi software
    apt-get purge jigasi jitsi-meet jitsi-meet-web-config jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web jicofo jitsi-videobridge
  2. Install the latest stable jitsi software with selfsigned certificates
    apt-get install jitsi-meet
  3. Deinstall the turnserver software
    apt-get purge jitsi-meet-turnserver
  4. Correct/adapt the file /etc/prosody/prosody.cfg.lua - it must include more than just three lines of include!
  5. Replace the selfsigned certificate within directory /etc/jitsi/meet/ by your official key/cert files
  6. Restart all services:
    service nginx restart
    service prosody restart
    service jicofo restart
    service jitsi-videobridge2 restart

After this, the service is running well, again.


Not sure to get what should be done, looking here I don’t see instructions for this file…

After the installation, the file /etc/prosody/prosody.cfg.lua looks like:

Include "conf.d/*.cfg.lua"

No joke - that was all. After reviewing the one-and-only-left server, there are a lot of necessary definitions, like:

admins = { }
plugin_paths = { "/usr/local/lib/prosody/modules" }

....
--
Include "conf.d/*.cfg.lua"

After adapting this file, the new setup works fine.

Hi, question: if I install from scratch (no nginx pre-installed), I have no problems with turn. What are the consequences of removing TURN? Isn’t it needed to relay video for people at home behind NATs?

For our setup it works even for users behind NAT firewalls.

Turn will be used in case of networks with blocked udp, or restrictive firewalls allowing only real https traffic on port 443. We used to be running jetty before, which was not able to handle the second case and it was performing badly in some cases while serving files.

Removing the turnserver works even for existing installations. After that the nginx module is gone and you can modify the nginx site configuration back to 443.
After that I can restart nginx and jitsi, accessing both websites via 443 again.

For me it’s working with using port 4444 for block server (ssl). I just wonder, why sometimes the port seems to be set automatically and why in other install I have to change it by hand? Which part of install script handle this?
Also I wonder, can we set http2 or not recommended?

Note @damencho : There is a new stable release of this morning which leads again to a more-or-less empty file /etc/prosody/prosody.cfg.lua on Debian 10.2 with two lines:

Include "conf.d/*.cfg.lua"

If I replace this tiny file with the definitions from my recent (well-working) installation, the infrastructure runs well again (still missing the load balancing feature … but that’s another story)

Hey guys!
I’ve been working on these issues for last couple days. Man, what a wreck…
I have managed to install new clean Jitsi installation on new server. Couple things:

If you are using the same old Jitsi quick install guide, please note that Nginx has to be installed BEFORE Jitsi, because Jitsi will check for Nginx before configuring its new COTURN server, and if it doesn’t find it, it won’t. (I know what you’re thinking: Jitsi installs Nginx by itself! Well, yes, but it installs it after checking for it, and therefore NOT configuring the COTURN server. Yep, geniuses… :slight_smile: )

I have a question as well. What ports should actually be opened? I have opened 80, 443 and my ssh port. But there are so many changes now, I am confused and not sure if I should open anything else, like 4444, or 4445?
And I noticed that the default config now uses the Jitsi STUN server. Does this installation also install a STUN server together with TURN? Can I use my own STUN server, and if so, how do I set it up and what port does it use?

Please assist here.

Thanks!


It’s also written in the quick install guide to have it before :grin:

  • 22 ssh TCP
  • 80 http TCP
  • 443 https TCP
  • 10000:20000 UDP

Be aware not to use something else that collides with the ports actually in use; for example I always use Webmin and it uses 10000 on both TCP and UDP, so in that case I needed to switch its ports from the panel before installing jitsi.
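An added example (not code from the thread or from the Jitsi project) that turns the port list above into a pre-install check: it reads `ss -lntuH`-style rows and flags local sockets that overlap the ports Jitsi expects. The function name and the sample socket table are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Jitsi project.
# Checks a listening-socket table for ports that collide with the set a
# Jitsi Meet install expects (as listed in this thread): TCP 80/443 for the
# web front end, TCP 4444/4445 used internally by the nginx/turnserver split,
# and UDP 10000-20000 for media. On a real host run:
#   ss -lntuH | jitsi_port_collisions
# Constructed sample in `ss -lntuH` layout: Webmin bound to 10000 on both
# TCP and UDP, nginx already serving a site on 443, sshd on 22.
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:10000      0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0 511  [::]:443           [::]:*
udp   UNCONN 0 0    127.0.0.53%lo:53   0.0.0.0:*'

# jitsi_port_collisions (hypothetical name): read ss-style rows on stdin and
# print "proto:port" for every socket that overlaps the Jitsi port set, one
# per line, in input order. Prints nothing when the host is clear. TCP 10000
# is deliberately not flagged: only the UDP side collides with the
# videobridge media range, which is why the Webmin case bites.
jitsi_port_collisions() {
    awk '
        {
            proto = $1
            # The local address is field 5; the port follows the last ":" so
            # IPv4, IPv6 ("[::]:443") and scoped ("127.0.0.53%lo:53") all work.
            n = split($5, a, ":")
            port = a[n] + 0
        }
        proto == "tcp" && (port == 80 || port == 443 || port == 4444 || port == 4445) {
            print proto ":" port
        }
        proto == "udp" && port >= 10000 && port <= 20000 {
            print proto ":" port
        }
    '
}

# Run the check against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SS" | jitsi_port_collisions
```

On the sample this reports udp:10000 and tcp:443, i.e. the two collisions the posts above describe (Webmin's UDP port and a site already on 443).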

Hey Rubens!
Just to confirm:
“<…> If none of the above is found it then defaults to Nginx. If you are already running Nginx on port 443 on the same machine you better skip the turnserver configuration as it will conflict with your current port 443, so use the command apt install --no-install-recommends jitsi-meet .”

So it defaults to Nginx, meaning Nginx is installed by Jitsi, when no http server is found. But the only issue with this auto installation is that it sets up Nginx AFTER trying to configure COTURN. It doesn’t find Nginx so COTURN is left without configuring it. If only they would change it to finishing Nginx setup before setting up COTURN, then the COTURN would also be configured in that case when someone is installing Jitsi with no Nginx present.
Now, if you install Jitsi with no http server (No Nginx) present, you will get this:

Setting up nginx-full (1.14.2-2+deb10u1) ...
Setting up jitsi-meet-turnserver (1.0.3969-1) ...
------------------------------------------------

turnserver not configured as no nginx found to multiplex traffic

------------------------------------------------
Setting up nginx (1.14.2-2+deb10u1) ...

So do the ports all remain the same? Jitsi has configured Nginx (automatically) to listen on port 4444 now, instead of 443. That is confusing for me. Are these some kind of internal ports (4444, 4445) it’s listening on then?

Cheers!

As far as I know, NGINX isn’t installed by default but the Java webserver is used (really bad); the 443 collision is in case you have nginx AND a website running on 443 :slight_smile:

In my experience (10 installs in last 3 days) I’d really suggest to install nginx before.

4444 and 4445 are used internally; they don’t communicate with the web, I guess.

Rubens: it does install Nginx by default. It says so in Quick Install guide too. I also have installed it 10 times in last couple days… :slight_smile:

Ow ok, good to know.

Video tutorial maybe it’s too old, plus I did some installs during the turnserver bug that made me crazy since on one server was working and the same stuff done on another didn’t :laughing:


Trust me, you’re not the only one who was going crazy… :slight_smile:
I mean I do appreciate Jitsi team’s work, but releasing UNSTABLE version as STABLE, not even testing it properly is a bit lame. ;/

just a bit

when I’ve discovered why my brain said: FFFUUUUUUUU… (you know the rest)

I’m guessing this issue with the latest stable is why my haproxy gets a 502 when forwarding to jitsi.

the nginx log shows the web traffic from the haproxy seems to then get proxied by nginx to the 4445

from nginx error log- (192.168.1.254 is haproxy)
2020/04/04 21:09:09 [error] 1255#1255: *2323 recv() failed (104: Connection reset by peer) while proxying and reading from upstream, client: 192.168.1.254, server: 0.0.0.0:443, upstream: "127.0.0.1:4445", bytes from/to client:713/168, bytes from/to upstream:168/1230

would love some clear instructions on exactly how to run jitsi on ubuntu with nat via haproxy.

I have a single internet IP address, 443 is forwarded to HAPROXY which does a heap of url and path based proxying. Jitsi is on a ubuntu box. Based on that architecture:

  1. do i install nginx first?
  2. do i do a vanilla apt-get install jitsi-meet?
  3. do i only need to add videoserver settings as per https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md#advanced-configuration
  4. what udp ports are actually in use. some doco says only 10000 some say 10k-20k.
  5. what tcp ports need to be open from the internet.
    i love the software btw, but i would also love to start using it :slight_smile:
    cheers

I upgraded from jvb1 (installed by itself with jetty as server, no apache or nginx) and jitsi installed nginx by itself (‘upgraded’ jetty to nginx), so it does not seem necessary.

I had done a vanilla install of jvb1 and did a vanilla upgrade to jvb2.

this is essentially what I did, the other changes were to get additional functionality.

10000 only.

I proxy from my main nginx install on the host (having a similar role to your haproxy) to the nginx installed in the LXD jitsi container; I have edited the container nginx conf file (created by jitsi upgrade) to drop the ssl so I have a classical setup, the main nginx on the host does the ssl stuff, it has exposed its 443 port to the internet (of course) and it proxies to the container on port 80 doing simple HTTP (the container port 80 is not exposed to the internet). The host port 10000 (and only this port) is NATted to the container port 10000.
By and large I have a similar setup to the one I had with jvb1, the port 443 is managing https jitsi through a reverse proxy, and the 10000 port is directly exposed. The only change is that the jitsi container is exposing a HTTP port managed by nginx instead of jetty. It’s probably not a high performance setup but my hardware is not so great so I can’t hope to manage dozens of clients anyway.

About coturn, it seems only necessary if you can’t expose port 10000 but it’s said to be less performant and it seems a royal pain to setup so I dropped it without mercy.